[Openswan Users] Debian packages needed.
Joost Kraaijeveld
J.Kraaijeveld at Askesis.nl
Thu Oct 7 22:24:51 CEST 2004
Hi Paul,
users-bounces at openswan.org wrote:
> Can someone provide me with an ipsec barf output in this 'non
> working' state without opportunistic encryption?
I do not question your helpfulness in any way (is this English???; anyway, I declare hereby that you have always been helpful to me), and I know what my problem is: I do not have an ipsec.secrets to start with (see attached barf file ;-)).
But my complaint is that I cannot find any info on how to make that file without disrupting my current Debian installation in any way (can it be done, how do I (re)use files etc.?). Should I create an ipsec.secrets in the /etc/ipsec.d directory structure or not? If so, why and how should I do that? If not, what does this directory structure mean in relation to the ipsec.conf file?
I am just a user, not a developer, of ipsec and OpenSwan. Ask me anything about C++ and I will be glad to answer it... I cannot know everything about everything I use in detail.
Regards,
Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld at Askesis.nl
web: www.askesis.nl
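The attached barf output below shows "ipsec verify" failing its RSA key check ("no pubkey line found") while /etc/ipsec.secrets holds three ": RSA { ... }" entries whose censored bodies are /tmp/ipsec-postinst file names rather than key material. The following Python audit is an added example, not part of this post and not Openswan code: it parses the ipsec.secrets(5) syntax ("selectors : TYPE value" or a "{ ... }" block, plus "include <glob>", which is how files under /etc/ipsec.d are pulled in) and flags an RSA block without the "#pubkey=" line that "ipsec showhostkey" looks for, a block lacking the fields "ipsec rsasigkey" writes, an include that matches nothing, and a secrets file readable by group or others. The 20-character PSK minimum and every sample value are my own constructions.

```python
"""Audit an ipsec.secrets file (added example, not from the post or Openswan).
Assumes ipsec.secrets(5) syntax ('selectors : TYPE value-or-{block}', plus
'include <glob>') and that 'ipsec showhostkey' needs a '#pubkey=' line."""
import glob
import os
import re

# '<selectors> : <TYPE> <rest>'; an empty selector list matches any peer.
ENTRY_RE = re.compile(r"^(?P<sel>.*?)\s*:\s*(?P<kind>[A-Z]+)\b\s*(?P<rest>.*)$")
REQUIRED_RSA_FIELDS = ("Modulus:", "PublicExponent:", "PrivateExponent:")


def parse_secrets(text):
    """Return (include_globs, entries); each entry is (selectors, kind, body)."""
    includes, entries = [], []
    i, lines = 0, [ln.strip() for ln in text.splitlines()]
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line or line.startswith("#"):  # top-level comment or blank
            continue
        if line.startswith("include "):
            includes.append(line.split(None, 1)[1])
            continue
        m = ENTRY_RE.match(line)
        if m is None:  # not 'selectors : TYPE ...'; pluto would reject it
            entries.append(("", "MALFORMED", line))
            continue
        sel, kind, rest = m.group("sel"), m.group("kind"), m.group("rest")
        if rest.startswith("{"):
            # Brace block: keep its comment lines (that is where #pubkey= lives)
            body = []
            while i < len(lines) and lines[i] != "}":
                body.append(lines[i])
                i += 1
            i += 1  # skip the closing brace
            rest = "\n".join(body)
        entries.append((sel, kind, rest))
    return includes, entries


def audit_secrets(text, mode=None, base_dir="/etc"):
    """Return human-readable findings; an empty list means the file looks sane."""
    findings = []
    if mode is not None and mode & 0o077:  # any group/other permission bit
        findings.append("file is group- or world-accessible; expected 0600 root:root")
    includes, entries = parse_secrets(text)
    rsa_blocks = 0
    for sel, kind, body in entries:
        label = f"'{sel or '<any>'} : {kind}'"
        if kind == "RSA":
            rsa_blocks += 1
            if not re.search(r"^#pubkey=\S+", body, re.M):
                findings.append(f"{label}: no '#pubkey=' line, so 'ipsec showhostkey' finds no key")
            missing = [f for f in REQUIRED_RSA_FIELDS if f not in body]
            if missing:
                findings.append(f"{label}: not rsasigkey output, missing {', '.join(missing)}")
        elif kind == "PSK":
            quoted = re.fullmatch(r'"([^"]*)"', body)
            if quoted and len(quoted.group(1)) < 20:  # local policy minimum
                findings.append(f"{label}: quoted PSK shorter than 20 characters")
            elif not quoted and not re.fullmatch(r"0[xs]\S+", body):
                findings.append(f"{label}: PSK must be a quoted string, 0x hex or 0s base64")
        else:
            findings.append(f"{label}: unrecognised entry {body!r}")
    if rsa_blocks == 0 and not includes:
        findings.append("no RSA host key and no include line: pluto has nothing to sign with")
    for pattern in includes:
        if not os.path.isabs(pattern):  # relative to the including file's dir
            pattern = os.path.join(base_dir, pattern)
        if not glob.glob(pattern):
            findings.append(f"include {pattern!r} matches no files")
    return findings


def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_secrets(text, os.stat(path).st_mode & 0o777, os.path.dirname(path))


# Constructed sample modelled on the censored entries in the barf: an RSA
# block whose body is a temp-file name, not key material.
BROKEN_SECRETS = """\
: RSA {
/tmp/ipsec-postinst.be0f9Q
}
"""
# Constructed sample in the layout 'ipsec newhostkey' writes (placeholder key
# values, fields after PrivateExponent omitted), plus a PSK and an include.
GOOD_SECRETS = """\
: RSA {
    #pubkey=0sAQPLACEHOLDERPUBLICKEY
    Modulus: 0xPLACEHOLDER
    PublicExponent: 0x03
    PrivateExponent: 0xPLACEHOLDER
    }
192.0.2.1 %any : PSK "constructed-sample-psk-0123456789"
include /etc/ipsec.d/*.secrets
"""
```

Run audit_file("/etc/ipsec.secrets") as root to check a live file; the include check only verifies that the glob matches something, it does not recurse into the included files.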
-------------- next part --------------
Unable to find KLIPS messages, typically found in /var/log/messages or equivalent. You may need to run Openswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration.
Unable to find Pluto messages, typically found in /var/log/secure or equivalent. You may need to run Openswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration.
Laudanum
Thu Oct 7 21:02:41 CEST 2004
+ _________________________ version
+ ipsec --version
Linux Openswan U2.1.3/K2.6.7-1-686 (native) (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.7-1-686 (dilinger at toaster.hq.voxel.net) (gcc version 3.3.4 (Debian 1:3.3.4-2)) #1 Thu Jul 8 05:36:53 EDT 2004
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
82.161.124.0 0.0.0.0 255.255.254.0 U 0 0 0 eth2
172.31.0.0 172.16.0.1 255.255.0.0 UG 0 0 0 eth0
172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 82.161.124.1 0.0.0.0 UG 0 0 0 eth2
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Oct 6 14:22:28 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=51 seq=7 pid=11376
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Oct 6 14:22:28 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=35 seq=6 pid=11376
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Oct 6 14:22:28 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=19 seq=5 pid=11376
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Oct 6 14:22:28 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=3 seq=4 pid=11376
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Oct 6 14:22:28 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=60 seq=3 pid=11376
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Oct 6 14:22:28 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=44 seq=2 pid=11376
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Oct 6 14:22:28 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=28 seq=1 pid=11376
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Oct 6 14:22:28 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=12 seq=0 pid=11376
refcnt=1
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 172.16.255.254
000 interface eth0:1/eth0:1 192.168.1.254
000 interface eth2/eth2 82.161.125.16
000 %myid = (none)
000 debug none
000
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:C0:26:76:32:D2
inet addr:172.16.255.254 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::2c0:26ff:fe76:32d2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:180634 errors:0 dropped:0 overruns:0 frame:0
TX packets:230269 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:33059247 (31.5 MiB) TX bytes:198171258 (188.9 MiB)
Interrupt:9 Base address:0xec00
eth0:1 Link encap:Ethernet HWaddr 00:C0:26:76:32:D2
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:9 Base address:0xec00
eth1 Link encap:Ethernet HWaddr 00:C0:26:76:3D:50
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:10 Base address:0xe800
eth2 Link encap:Ethernet HWaddr 00:B0:D0:E7:B5:88
inet addr:82.161.125.16 Bcast:82.161.125.255 Mask:255.255.254.0
inet6 addr: fe80::2b0:d0ff:fee7:b588/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:328780 errors:0 dropped:0 overruns:0 frame:0
TX packets:279210 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:235205524 (224.3 MiB) TX bytes:40444253 (38.5 MiB)
Interrupt:5 Base address:0xe480
gre0 Link encap:UNSPEC HWaddr 00-00-00-00-30-30-30-3A-00-00-00-00-00-00-00-00
NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:34324 errors:0 dropped:0 overruns:0 frame:0
TX packets:34324 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14798152 (14.1 MiB) TX bytes:14798152 (14.1 MiB)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.1.3/K2.6.7-1-686 (native) (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no pubkey line found -- key information old?
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: Laudanum [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 16.125.161.82.in-addr.arpa. [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
SIOCGMIIPHY on 'eth1' failed: Invalid argument
eth2: negotiated 100baseTx-FD, link ok
product info: vendor 00:10:18, model 23 rev 7
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
localhost.localdomain
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
21:02:42 up 1 day, 6:41, 1 user, load average: 0.13, 0.10, 0.15
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
5 0 1504 1 20 0 2540 1228 wait4 S ? 0:00 /bin/bash /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
5 0 1505 1504 20 0 2540 1236 wait4 S ? 0:00 \_ /bin/bash /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 1506 1505 15 0 2300 872 - S ? 0:00 | \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --uniqueids
4 0 1586 1506 19 0 1448 272 - S ? 0:00 | \_ _pluto_adns
4 0 1507 1504 15 0 2516 1204 pipe_w S ? 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
4 0 1508 1 16 0 1516 500 pipe_w S ? 0:00 logger -s -p daemon.error -t ipsec__plutorun
4 0 11248 9799 20 0 2336 1092 - R+ pts/4 0:00 \_ /bin/sh /usr/lib/ipsec/barf
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth2
routevirt=ipsec0
routeaddr=82.161.125.16
routenexthop=82.161.124.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.12 2004/01/20 19:37:13 sam Exp $
# This file: /usr/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.1/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.1/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.1/doc/adv_config.html
#
# Policy groups are enabled by default. See:
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.1/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-2.1.1/doc/examples
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=all
# plutodebug=dns
# Add connections here.
# sample VPN connection
#sample# conn sample
#sample# # Left security gateway, subnet behind it, next hop toward right.
#sample# left=10.0.0.1
#sample# leftsubnet=172.16.0.0/24
#sample# leftnexthop=10.22.33.44
#sample# # Right security gateway, subnet behind it, next hop toward left.
#sample# right=10.12.12.1
#sample# rightsubnet=192.168.0.0/24
#sample# rightnexthop=10.101.102.103
#sample# # To authorize this connection, but not actually start it, at startup,
#sample# # uncomment this.
#sample# #auto=start
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# RCSID $Id: ipsec.secrets.proto,v 1.2 2004/03/13 17:13:47 rene Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
: RSA {
/tmp/ipsec-postinst.be0f9Q
}
: RSA {
/tmp/ipsec-postinst.bISzH8
}
: RSA {
/tmp/ipsec-postinst.XlsM2g
}
+ '[' ']'
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 1152
-rwxr-xr-x 1 root root 15292 Jun 18 09:18 _confread
-rwxr-xr-x 1 root root 4480 Jun 18 09:18 _copyright
-rwxr-xr-x 1 root root 2380 Jun 18 09:18 _include
-rwxr-xr-x 1 root root 1476 Jun 18 09:18 _keycensor
-rwxr-xr-x 1 root root 9784 Jun 18 09:18 _pluto_adns
-rwxr-xr-x 1 root root 3586 Jun 18 09:18 _plutoload
-rwxr-xr-x 1 root root 6766 Jun 18 09:18 _plutorun
-rwxr-xr-x 1 root root 10405 Jun 18 09:18 _realsetup
-rwxr-xr-x 1 root root 1976 Jun 18 09:18 _secretcensor
-rwxr-xr-x 1 root root 8430 Jun 18 09:18 _startklips
-rwxr-xr-x 1 root root 11261 Jun 18 09:18 _updown
-rwxr-xr-x 1 root root 7572 Jun 18 09:18 _updown_x509
-rwxr-xr-x 1 root root 15693 Jun 18 09:18 auto
-rwxr-xr-x 1 root root 10167 Jun 18 09:18 barf
-rwxr-xr-x 1 root root 816 Jun 18 09:18 calcgoo
-rwxr-xr-x 1 root root 80824 Jun 18 09:18 eroute
-rwxr-xr-x 1 root root 16012 Jun 18 09:18 ikeping
-rwxr-xr-x 1 root root 1942 Jun 18 09:18 ipsec_pr.template
-rwxr-xr-x 1 root root 60696 Jun 18 09:18 klipsdebug
-rwxr-xr-x 1 root root 2462 Jun 18 09:18 look
-rwxr-xr-x 1 root root 7118 Jun 18 09:18 mailkey
-rwxr-xr-x 1 root root 16190 Jun 18 09:18 manual
-rwxr-xr-x 1 root root 1874 Jun 18 09:18 newhostkey
-rwxr-xr-x 1 root root 53740 Jun 18 09:18 pf_key
-rwxr-xr-x 1 root root 468184 Jun 18 09:18 pluto
-rwxr-xr-x 1 root root 6584 Jun 18 09:18 ranbits
-rwxr-xr-x 1 root root 18584 Jun 18 09:18 rsasigkey
-rwxr-xr-x 1 root root 766 Jun 18 09:18 secrets
-rwxr-xr-x 1 root root 17570 Jun 18 09:18 send-pr
lrwxrwxrwx 1 root root 17 Sep 8 11:42 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Jun 18 09:18 showdefaults
-rwxr-xr-x 1 root root 4322 Jun 18 09:18 showhostkey
-rwxr-xr-x 1 root root 89176 Jun 18 09:18 spi
-rwxr-xr-x 1 root root 68440 Jun 18 09:18 spigrp
-rwxr-xr-x 1 root root 9744 Jun 18 09:18 tncfg
-rwxr-xr-x 1 root root 10189 Jun 18 09:18 verify
-rwxr-xr-x 1 root root 39224 Jun 18 09:18 whack
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/lib/ipsec
total 1152
-rwxr-xr-x 1 root root 15292 Jun 18 09:18 _confread
-rwxr-xr-x 1 root root 4480 Jun 18 09:18 _copyright
-rwxr-xr-x 1 root root 2380 Jun 18 09:18 _include
-rwxr-xr-x 1 root root 1476 Jun 18 09:18 _keycensor
-rwxr-xr-x 1 root root 9784 Jun 18 09:18 _pluto_adns
-rwxr-xr-x 1 root root 3586 Jun 18 09:18 _plutoload
-rwxr-xr-x 1 root root 6766 Jun 18 09:18 _plutorun
-rwxr-xr-x 1 root root 10405 Jun 18 09:18 _realsetup
-rwxr-xr-x 1 root root 1976 Jun 18 09:18 _secretcensor
-rwxr-xr-x 1 root root 8430 Jun 18 09:18 _startklips
-rwxr-xr-x 1 root root 11261 Jun 18 09:18 _updown
-rwxr-xr-x 1 root root 7572 Jun 18 09:18 _updown_x509
-rwxr-xr-x 1 root root 15693 Jun 18 09:18 auto
-rwxr-xr-x 1 root root 10167 Jun 18 09:18 barf
-rwxr-xr-x 1 root root 816 Jun 18 09:18 calcgoo
-rwxr-xr-x 1 root root 80824 Jun 18 09:18 eroute
-rwxr-xr-x 1 root root 16012 Jun 18 09:18 ikeping
-rwxr-xr-x 1 root root 1942 Jun 18 09:18 ipsec_pr.template
-rwxr-xr-x 1 root root 60696 Jun 18 09:18 klipsdebug
-rwxr-xr-x 1 root root 2462 Jun 18 09:18 look
-rwxr-xr-x 1 root root 7118 Jun 18 09:18 mailkey
-rwxr-xr-x 1 root root 16190 Jun 18 09:18 manual
-rwxr-xr-x 1 root root 1874 Jun 18 09:18 newhostkey
-rwxr-xr-x 1 root root 53740 Jun 18 09:18 pf_key
-rwxr-xr-x 1 root root 468184 Jun 18 09:18 pluto
-rwxr-xr-x 1 root root 6584 Jun 18 09:18 ranbits
-rwxr-xr-x 1 root root 18584 Jun 18 09:18 rsasigkey
-rwxr-xr-x 1 root root 766 Jun 18 09:18 secrets
-rwxr-xr-x 1 root root 17570 Jun 18 09:18 send-pr
lrwxrwxrwx 1 root root 17 Sep 8 11:42 setup -> /etc/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Jun 18 09:18 showdefaults
-rwxr-xr-x 1 root root 4322 Jun 18 09:18 showhostkey
-rwxr-xr-x 1 root root 89176 Jun 18 09:18 spi
-rwxr-xr-x 1 root root 68440 Jun 18 09:18 spigrp
-rwxr-xr-x 1 root root 9744 Jun 18 09:18 tncfg
-rwxr-xr-x 1 root root 10189 Jun 18 09:18 verify
-rwxr-xr-x 1 root root 39224 Jun 18 09:18 whack
+ _________________________ ipsec/updowns
++ ls /usr/lib/ipsec
++ egrep updown
+ cat /usr/lib/ipsec/_updown
#! /bin/sh
# iproute2 version, default updown script
# Copyright (C) 2002. Michael Richardson
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown.ip2.in,v 1.5.2.2 2004/03/21 05:23:31 mcr Exp $
# CAUTION: Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# FreeS/WAN use yours instead of this default one.
LC_ALL=C export LC_ALL
# things that this script gets (from ipsec_pluto(8) man page)
#
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway communica
# tions is IPv6, then a suffix of -v6 is added to the
# verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_NEXT_HOP
# is the next hop to which packets bound for the peer
# must be sent.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
# is the IP address of our client net. If the client
# is just the host, this will be the host's own IP
# address.
#
# PLUTO_MY_CLIENT_MASK
# is the mask for our client net. If the client is
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
# if non-empty, then the source address for the route will be
# set to this IP address.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_CLIENT_NET
# is the IP address of the peer's client net. If the
# client is just the peer, this will be the peer's
# own IP address.
#
# PLUTO_PEER_CLIENT_MASK
# is the mask for the peer's client net. If the
# client is just the peer, this will be
# 255.255.255.255.
#
# PLUTO_CONNECTION_TYPE
#
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
ip route flush cache
}
downroute() {
doroute del
ip route flush cache
}
uprule() {
# policy based advanced routing
if [ -n "$PLUTO_IPROUTETABLE" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]
then
dorule del
dorule add
fi
# virtual sourceip support
if [ -n "$PLUTO_MY_SOURCEIP" ] && ["$PLUTO_MY_SOURCEIP" != "no" ]
then
addsource
changesource
fi
ip route flush cache
}
downrule() {
if [ -n "$PLUTO_MY_SOURCEIP" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]
then
dorule del
ip route flush cache
fi
}
addsource() {
st=0
if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
then
it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: addsource \`$it' failed ($oops)" >&2
fi
fi
return $st
}
changesource() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2="dev $PLUTO_INTERFACE"
parms3="src ${PLUTO_MY_SOURCEIP%/*}"
if [ -n "$PLUTO_IPROUTETABLE" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]
then
parms3="$parms3 table '$PLUTO_IPROUTETABLE'"
fi
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
it=
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: changesource \`$it' failed ($oops)" >&2
fi
return $st
}
dorule() {
st=0
it2=
iprule="from $PLUTO_MY_CLIENT"
iprule2="to $PLUTO_PEER_CLIENT table $PLUTO_IPROUTETABLE"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
st=0
;;
*)
if test "$PLUTO_MY_SOURCEIP" = "no"
then
if test "$PLUTO_ME" = "${PLUTO_MY_CLIENT%/*}"
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
fi
else
if test "${PLUTO_MY_SOURCEIP%/*}" = "${PLUTO_MY_CLIENT%/*}"
then
it="ip rule $1 iif lo $iprule2"
else
it="ip rule $1 $iprule $iprule2"
it2="ip rule $1 iif lo $iprule2"
fi
fi
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it' failed ($oops)" >&2
fi
if test "$st" = "0" -a -n "$it2"
then
oops="`eval $it2 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
case "$oops" in
'RTNETLINK answers: No such process'*)
# This is what ip rule gives
# for "could not find such a rule"
oops=
st=0
;;
esac
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: dorule \`$it2' failed ($oops)" >&2
fi
fi
;;
esac
return $st
}
doroute() {
st=0
parms="$PLUTO_PEER_CLIENT"
parms2=
if [ -n "$PLUTO_NEXT_HOP" ]
then
parms2="via $PLUTO_NEXT_HOP"
fi
parms2="$parms2 dev $PLUTO_INTERFACE"
parms3=
if [ -n "$PLUTO_IPROUTETABLE" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]
then
parms3="table $PLUTO_IPROUTETABLE"
fi
if [ -z "$PLUTO_MY_SOURCEIP" ]
then
if [ -f /etc/sysconfig/defaultsource ]
then
. /etc/sysconfig/defaultsource
if [ -n "$DEFAULTSOURCE" ]
then
PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
fi
fi
fi
if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
then
addsource
parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
fi
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# opportunistic encryption work around
# need to provide route that eclipses default, without
# replacing it.
it="ip route $1 0.0.0.0/1 $parms2 &&
ip route $1 128.0.0.0/1 $parms2"
;;
*) it="ip route $1 $parms $parms2 $parms3"
;;
esac
oops="`eval $it 2>&1`"
st=$?
if test " $oops" = " " -a " $st" != " 0"
then
oops="silent error, exit status $st"
fi
if test " $oops" != " " -o " $st" != " 0"
then
echo "$0: doroute \`$it' failed ($oops)" >&2
fi
return $st
}
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# need to provide route that eclipses default, without
# replacing it.
parms1="0.0.0.0/1"
parms2="128.0.0.0/1"
it="ip route del $parms1 2>&1 ; ip route del $parms2 2>&1"
oops="`ip route del $parms1 2>&1 ; ip route del $parms2 2>&1`"
;;
*)
parms="$PLUTO_PEER_CLIENT"
it="ip route del $parms 2>&1"
oops="`ip route del $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
*'RTNETLINK answers: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ cat /usr/lib/ipsec/_updown_x509
#! /bin/sh
#
# customized updown script
#
# logging of VPN connections
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
#
# check interface version
case "$PLUTO_VERSION" in
1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
echo "$0: called by obsolete Pluto?" >&2
exit 2
;;
1.*) ;;
*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
exit 2
;;
esac
# check parameter(s)
case "$1:$*" in
':') # no parameters
;;
ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
;;
custom:*) # custom parameters (see above CAUTION comment)
;;
*) echo "$0: unknown parameters \`$*'" >&2
exit 2
;;
esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
doroute add
}
downroute() {
doroute del
}
doroute() {
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
parms2="dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP"
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
it="route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&"
it="$it route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2"
route $1 -net 0.0.0.0 netmask 128.0.0.0 $parms2 &&
route $1 -net 128.0.0.0 netmask 128.0.0.0 $parms2
;;
*) it="route $1 $parms $parms2"
route $1 $parms $parms2
;;
esac
st=$?
if test $st -ne 0
then
# route has already given its own cryptic message
echo "$0: \`$it' failed" >&2
if test " $1 $st" = " add 7"
then
# another totally undocumented interface -- 7 and
# "SIOCADDRT: Network is unreachable" means that
# the gateway isn't reachable.
echo "$0: (incorrect or missing nexthop setting??)" >&2
fi
fi
return $st
}
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
S_MY_PORT="--sport $PLUTO_MY_PORT"
D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
S_PEER_PORT="--sport $PLUTO_PEER_PORT"
D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
# the big choice
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
# delete possibly-existing route (preliminary to adding a route)
case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
"0.0.0.0/0.0.0.0")
# horrible kludge for obscure routing bug with opportunistic
parms1="-net 0.0.0.0 netmask 128.0.0.0"
parms2="-net 128.0.0.0 netmask 128.0.0.0"
it="route del $parms1 2>&1 ; route del $parms2 2>&1"
oops="`route del $parms1 2>&1 ; route del $parms2 2>&1`"
;;
*)
parms="-net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK"
it="route del $parms 2>&1"
oops="`route del $parms 2>&1`"
;;
esac
status="$?"
if test " $oops" = " " -a " $status" != " 0"
then
oops="silent error, exit status $status"
fi
case "$oops" in
'SIOCDELRT: No such process'*)
# This is what route (currently -- not documented!) gives
# for "could not find such a route".
oops=
status=0
;;
esac
if test " $oops" != " " -o " $status" != " 0"
then
echo "$0: \`$it' failed ($oops)" >&2
fi
exit $status
;;
route-host:*|route-client:*)
# connection to me or my client subnet being routed
uproute
;;
unroute-host:*|unroute-client:*)
# connection to me or my client subnet being unrouted
downroute
;;
up-host:*)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
down-host:*)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
fi
;;
up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO \
"+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT -j ACCEPT
#
if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
else
logger -t $TAG -p $FAC_PRIO -- \
"- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
fi
;;
up-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
down-client:ipfwadm)
# connection to client subnet, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
-D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
;;
esac
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo:14798152 34324 0 0 0 0 0 0 14798152 34324 0 0 0 0 0 0
gre0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
tunl0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth0:33059247 180634 0 0 0 0 0 0 198171258 230269 0 0 0 0 0 0
eth1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth2:235205961 328783 0 0 0 0 0 0 40444493 279213 0 0 0 0 0 0
sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 0001A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth2 007CA152 00000000 0001 0 0 0 00FEFFFF 0 0 0
eth0 00001FAC 010010AC 0003 0 0 0 0000FFFF 0 0 0
eth0 000010AC 00000000 0001 0 0 0 0000FFFF 0 0 0
eth2 00000000 017CA152 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth2/rp_filter lo/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:1
eth2/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux Laudanum 2.6.7-1-686 #1 Thu Jul 8 05:36:53 EDT 2004 i686 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ test -r /etc/fedora-release
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'native PFKEY (2.6.7-1-686) support detected '
native PFKEY (2.6.7-1-686) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ ipfwadm -F -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -I -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -O -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________
+ ipfwadm -M -l -n -e
Generic IP Firewall Chains not in this kernel
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ ipchains -L -v -n
ipchains: Incompatible with this kernel
+ _________________________
+ ipchains -M -L -v -n
ipchains: cannot open file `/proc/net/ip_masquerade'
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 232 packets, 19223 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 227 packets, 24306 bytes)
pkts bytes target prot opt in out source destination
+ _________________________
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 12198 packets, 672K bytes)
pkts bytes target prot opt in out source destination
64 3068 DNAT tcp -- * * 0.0.0.0/0 82.161.125.16 tcp dpt:80 to:172.16.0.1:80
Chain POSTROUTING (policy ACCEPT 29139 packets, 2270K bytes)
pkts bytes target prot opt in out source destination
5167 266K SNAT all -- * eth2 172.16.0.0/16 0.0.0.0/0 to:82.161.125.16
1938 93367 SNAT all -- * eth2 192.168.1.0/24 0.0.0.0/0 to:82.161.125.16
Chain OUTPUT (policy ACCEPT 29075 packets, 2267K bytes)
pkts bytes target prot opt in out source destination
+ _________________________
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 198 packets, 16667 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 198 packets, 16667 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 201 packets, 20918 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 201 packets, 20918 bytes)
pkts bytes target prot opt in out source destination
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
iptable_mangle 2880 0 - Live 0xd0a8f000
iptable_filter 2880 0 - Live 0xd0a8a000
ipv6 255488 16 - Live 0xd0b3c000
deflate 3904 0 - Live 0xd0828000
zlib_deflate 22776 1 deflate, Live 0xd0ada000
twofish 38656 0 - Live 0xd0ae8000
serpent 13632 0 - Live 0xd0ad5000
aes 32608 0 - Live 0xd0acc000
blowfish 9984 0 - Live 0xd0ac8000
des 11712 0 - Live 0xd0ac4000
sha256 9664 0 - Live 0xd0ac0000
sha1 8576 0 - Live 0xd0abc000
crypto_null 2304 0 - Live 0xd08f8000
xfrm_user 15748 0 - Live 0xd0a6d000
ipcomp 8352 0 - Live 0xd0a86000
esp4 10912 0 - Live 0xd0917000
ah4 8128 0 - Live 0xd090c000
af_key 33936 0 - Live 0xd0a91000
af_packet 22376 2 - Live 0xd09bd000
8139cp 20672 0 - Live 0xd0a66000
uhci_hcd 32880 0 - Live 0xd0a7c000
usbcore 114784 3 uhci_hcd, Live 0xd0a9e000
hw_random 5460 0 - Live 0xd088c000
pci_hotplug 34640 0 - Live 0xd0a72000
intel_agp 19836 1 - Live 0xd09b7000
evdev 9568 0 - Live 0xd091b000
pcspkr 3592 0 - Live 0xd088a000
psmouse 20360 0 - Live 0xd091f000
floppy 61204 0 - Live 0xd09c4000
parport_pc 35008 0 - Live 0xd09a5000
parport 41832 1 parport_pc, Live 0xd0999000
3c59x 38952 0 - Live 0xd098e000
agpgart 34152 1 intel_agp, Live 0xd0984000
capability 4520 0 - Live 0xd0909000
commoncap 7200 1 capability, Live 0xd0906000
8139too 26112 0 - Live 0xd090f000
mii 5120 2 8139cp,8139too, Live 0xd0903000
crc32 4320 2 8139cp,8139too, Live 0xd0900000
ipip 10564 0 - Live 0xd08f4000
ip_gre 13280 0 - Live 0xd08c6000
ipt_REDIRECT 2208 0 - Live 0xd0839000
iptable_nat 25100 2 ipt_REDIRECT, Live 0xd0853000
ip_tables 18432 4 iptable_mangle,iptable_filter,ipt_REDIRECT,iptable_nat, Live 0xd087b000
ip_conntrack 35392 2 ipt_REDIRECT,iptable_nat, Live 0xd08ea000
ide_cd 43332 0 - Live 0xd08dc000
cdrom 40352 1 ide_cd, Live 0xd08d1000
rtc 12760 0 - Live 0xd084e000
ext3 127144 1 - Live 0xd0925000
jbd 62264 1 ext3, Live 0xd088f000
mbcache 9348 1 ext3, Live 0xd081b000
ide_disk 19264 3 - Live 0xd08fa000
ide_generic 1408 0 - Live 0xd08e8000
piix 13440 1 - Live 0xd08cc000
ide_core 142808 4 ide_cd,ide_disk,ide_generic,piix, Live 0xd08a2000
sd_mod 21728 0 - Live 0xd083b000
ata_piix 8004 0 - Live 0xd0823000
libata 41700 1 ata_piix, Live 0xd0842000
scsi_mod 125004 2 sd_mod,libata, Live 0xd085b000
unix 28624 159 - Live 0xd082c000
font 8320 0 - Live 0xd081f000
vesafb 6656 0 - Live 0xd0812000
cfbcopyarea 3840 1 vesafb, Live 0xd0819000
cfbimgblt 3040 1 vesafb, Live 0xd0817000
cfbfillrect 3776 1 vesafb, Live 0xd0815000
+ _________________________ proc/meminfo
+ cat /proc/meminfo
MemTotal: 255920 kB
MemFree: 4216 kB
Buffers: 16748 kB
Cached: 75368 kB
SwapCached: 0 kB
Active: 186044 kB
Inactive: 41980 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 255920 kB
LowFree: 4216 kB
SwapTotal: 497972 kB
SwapFree: 497972 kB
Dirty: 244 kB
Writeback: 0 kB
Mapped: 81144 kB
Slab: 19648 kB
Committed_AS: 155204 kB
PageTables: 532 kB
VmallocTotal: 770040 kB
VmallocUsed: 3224 kB
VmallocChunk: 766472 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.7-1-686/build/.config
+ echo 'no .config file found, cannot list kernel properties'
no .config file found, cannot list kernel properties
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
#
# First some standard logfiles. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.crit;news.err;news.notice;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
search demon.nl
nameserver 194.159.73.136
nameserver 194.159.73.138
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 5 root root 4096 Jul 26 03:19 2.6.7-1-686
drwxr-xr-x 4 root root 4096 Sep 8 08:48 2.4.26-1-686
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c0216be0 T netif_rx
c0216be0 U netif_rx [ipv6]
c0216be0 U netif_rx [3c59x]
c0216be0 U netif_rx [ipip]
c0216be0 U netif_rx [ip_gre]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
/usr/lib/ipsec/barf: line 128: nm: command not found
2.6.7-1-686:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '1,$p' /dev/null
+ egrep -i 'ipsec|klips|pluto'
+ cat
+ _________________________ plog
+ sed -n '1,$p' /dev/null
+ egrep -i pluto
+ cat
+ _________________________ date
+ date
Thu Oct 7 21:02:44 CEST 2004